Exchangemaster GmbH - A Swiss IT Consultancy
FAQ 000087 - ActiveSync reports HTTP 500 error
Written by Dejan Foro   
Nov 17, 2010 at 06:07 PM

This article applies to:
Windows 2003, Windows 2008 R2
Exchange 2010 SP1, Exchange 2013, Exchange 2013 SP1 
iPhone iOS2, iOS3, iOS4, iOS5, iOS6, iOS7
Android
Windows Mobile 
All mobile devices using ActiveSync  


PROBLEM
When you try to synchronize your ActiveSync device with Exchange Server you receive the following error.
     Cannot Get Mail. The connection to the server failed.


TROUBLESHOOTING
A very good tool for troubleshooting ActiveSync problems is the Microsoft Remote Connectivity Analyzer, a free tool from Microsoft.

When you run the ActiveSync test with this tool, you might receive the following error:
     Exchange ActiveSync returned an HTTP 500 response


CAUSE 1

The user does not have the proper permissions applied in Active Directory. This typically occurs when a user mailbox is moved from Exchange 2003.
To enable permission inheritance on the user:
- Select Start/All Programs/Administrative Tools/Active Directory Users and Computers.
- Turn on the Advanced View by selecting View/Advanced Features (this has to be turned on in order for you to be able to see Advanced User Properties, which are not visible in normal mode).
- Right-click the user and select Properties. On the Security tab, click the Advanced button.
- At the bottom there is an option "Include inheritable permissions from the object's parent". Turn on the option.


CAUSE 2
The problem with missing permissions mentioned above can also occur if the user is a member of a special protected built-in group in Windows. If this is the case, even if you turn on the option "Include inheritable permissions from the object's parent", you might find that after about an hour this option is turned off again.
It is reset by the AdminSDHolder process in Active Directory, which scans the AD every 1 hour.
Which groups are treated as protected varies depending on the Windows operating system version you have. Here is how you can find out which groups are affected and whether your specific user is a member of such groups:


Windows 2008 R2
You can use the built-in PowerShell commands.
To get the list of protected users:
     Get-ADUser -LDAPFilter "(admincount=1)" | select DistinguishedName

To get the list of protected groups:
     Get-ADGroup -LDAPFilter "(admincount=1)" | select DistinguishedName


Windows 2008
There are no built-in PowerShell cmdlets, but you can use the free cmdlets available in the Active Directory Role Management tool from Quest.
To get the list of protected users:
     Get-QADuser -LDAPFilter "(admincount=1)"
To get the list of protected groups:
     Get-QADGroup -LDAPFilter "(admincount=1)"

Windows 2000/2003/2008/2008R2
You can use the free AdFind tool:
     Adfind.exe -b DC=domain,DC=com -f "&(objectcategory=person)(objectclass=user)(admincount=1)" -dn
     Adfind.exe -b DC=domain,DC=com -f "&(objectcategory=group)(admincount=1)" -dn


SOLUTION A
Create an additional ordinary user who is not a member of any protected groups and use this user for your Exchange mailbox and ActiveSync.


SOLUTION B
If you don't want to use multiple accounts as suggested in the solution above, you can use ADSI Edit to set the admincount attribute to 0. This will exempt the individual account from the AdminSDHolder process. As a result, the inheritable permissions option will not be changed for the user in the future.

To set the admincount attribute: 
- On your domain controller open the ADSI Edit tool. Select Start/All Programs/Administrative Tools/ADSI Edit.
- Connect to the Default naming context.
- Find the user, right-click and select Properties. On the list of properties find the admincount attribute and set it to 0.

After that, enable permission inheritance on the user in Active Directory Users and Computers:
- Select Start/All Programs/Administrative Tools/Active Directory Users and Computers.
- Turn on the Advanced View by selecting View/Advanced Features (this has to be turned on in order for you to be able to see Advanced User Properties, which are not visible in normal mode).
- Right-click the user and select Properties. On the Security tab, click the Advanced button.
- At the bottom there is an option "Include inheritable permissions from the object's parent". Turn on the option.
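
The following is an added example, not part of the original article: a read-only PowerShell check of a single account for the state described under CAUSE 1 and CAUSE 2, which can be rerun an hour after applying SOLUTION B to see whether admincount and the inheritance option kept their new values. The function name, its parameter and the account name 'jdoe' are hypothetical; it assumes the ActiveDirectory module (Windows 2008 R2 or later).

```powershell
# Added example: reports admincount, the inheritance flag and protected-group
# membership for one user. It only reads from Active Directory.
Import-Module ActiveDirectory

function Get-ProtectedAccountStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName   # hypothetical parameter name
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties adminCount, nTSecurityDescriptor

    # Escape characters that are special inside an LDAP filter value (RFC 4515),
    # so a DN such as "CN=Doe\, John (Admin),..." does not break the filter.
    $dn = $user.DistinguishedName
    $dn = $dn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it follows nested
    # membership, so indirect membership of a protected group is found as well.
    $filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
    $protectedGroups = @(Get-ADGroup -LDAPFilter $filter)

    New-Object PSObject -Property @{
        DistinguishedName   = $user.DistinguishedName
        # Empty when the attribute has never been set on the account.
        AdminCount          = $user.adminCount
        # True means "Include inheritable permissions..." is switched off.
        InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
        InProtectedGroup    = ($protectedGroups.Count -gt 0)
        ProtectedGroups     = ($protectedGroups | ForEach-Object { $_.Name }) -join '; '
    }
}

# 'jdoe' is a constructed sample account name.
Get-ProtectedAccountStatus -SamAccountName 'jdoe' | Format-List
```

An account showing InheritanceDisabled = True together with AdminCount = 1 matches the situation described under CAUSE 2; the ProtectedGroups field lists the groups responsible.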



CAUSE 3
ISA Server's flood mitigation functionality blocks communication with the domain controllers, thus preventing authentication of ActiveSync users.
ISA has built-in flood mitigation functionality which serves as a defense against flood attacks. It monitors the number of connections from each individual IP address. If the number of connections exceeds the value defined in policy, ISA considers this to be a potential flood attack and blocks communication with that specific IP address.
If your ISA server is a member of the domain and you have forms-based authentication turned on, there will be quite a lot of traffic between the ISA server and the domain controllers, and this can trigger the flood mitigation. Blocked communication between ISA and the domain controllers means ISA will not be able to authenticate users properly, which in the end causes things like Exchange ActiveSync to fail.

In the ISA Server Monitoring under Alerts you might see the following message:
"Current number of TCP connections limit from one IP exceeded", listing the IP addresses of your domain controllers.

SOLUTION 3
Add an exception for Domain Controllers under the flood mitigation settings.
Open the ISA Management console and go to Array / Configuration / General / Additional Security / Policy / Configure Flood Mitigation Settings. On the IP Exceptions tab, enter your domain controllers.


FURTHER RECOMMENDED READING
Technet article: AdminSDHolder, Protected Groups and SDPROP 

Last Updated ( Mar 14, 2014 at 09:05 AM )